Line 1: |
Line 1: |
− | ==Summary== | + | <p style="color:red">The information on this page is updated in accordance with the [https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1'''] firmware version .</p> |
| | | |
− | This article will guide you through configuring a '''Site-to-Site IPsec Tunnel''' between Teltonika routers/gateways and Microsodt Azure VPN gateway.
| + | =Introduction= |
| | | |
− | ==Prerequisite== | + | A site-to-site connection using an IPsec tunnel between Teltonika devices and an Azure Virtual Network Gateway is a secure method to link two separate networks over the internet. This setup ensures that data transmitted between the on-premises network, managed by Teltonika routers, and the Azure cloud environment is encrypted and secure. |
| + | |
| + | |
| + | If You have trouble seeing any of the settings, be sure to enable "'''Advanced mode'''" |
| + | [[File:Networking rutos manual webui basic advanced mode 75.gif|none|border|center|class=tlt-border]] |
| + | |
| + | =Topology= |
| + | |
| + | [[File:VNGW_TN_Topology.png|none|border|center|class=tlt-border|600px]] |
| + | |
| + | =Prerequisite= |
| | | |
| The user needs an Azure account with an active subscription. | | The user needs an Azure account with an active subscription. |
| | | |
− | ==Azure Platform==
| + | =Azure Platform= |
| | | |
− | ===Create a VPN Gateway on the Azure Platform===
| + | ==Create a VPN Gateway on the Azure Platform== |
− | ----
| |
| | | |
| Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''. | | Log into the Azure portal, search for "Virtual Network Gateways" and click on '''Create'''. |
− | <br> </br>
| + | |
− | [[File:VNGW_01.png|600px|center]] | + | [[File:VNGW_01.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
| + | |
| Use the information and images below as reference to complete the settings: | | Use the information and images below as reference to complete the settings: |
− | <br> </br>
| + | |
| + | |
| '''Projects details''' | | '''Projects details''' |
| * '''Suscription:''' Your suscription. | | * '''Suscription:''' Your suscription. |
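Review bot: the firmware banner added at the top of this hunk is broken wiki markup: `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads'''00.07.07.1''']` has no space between the URL and its label, so the bold quotes and the version number are swallowed into the link target instead of becoming the link text; write it as `[https://wiki.teltonika-networks.com/view/FW_%26_SDK_Downloads '''00.07.07.1''']` and drop the stray space before the full stop in "firmware version ." Two smaller points in the same hunk: "If You have trouble seeing" should be lower-case "you", and the subscription bullet still reads "Suscription: Your suscription" on both sides of the diff (both words are missing a "b"). The new image lines also combine `none` with `left` or `center`; a single alignment keyword is enough.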
Line 38: |
Line 49: |
| * '''Configure BGP:''' Disabled. | | * '''Configure BGP:''' Disabled. |
| | | |
− | <br> </br>
| |
− | [[File:VNGW_02.png|600px|center]]
| |
− | <br> </br>
| |
− | [[File:VNGW_03.png|600px|center]]
| |
− | <br> </br>
| |
− | [[File:VNGW_04.png|600px|center]]
| |
| | | |
− | ====Create a Virtual Network==== | + | [[File:VNGW_02.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:VNGW_03.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:VNGW_04.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | ===Create a Virtual Network=== |
| ---- | | ---- |
| In case you do not have previously created a virtual network, click on the blue URL link to create one and use the default settings as shown in the image below: | | In case you do not have previously created a virtual network, click on the blue URL link to create one and use the default settings as shown in the image below: |
− | <br> </br>
| |
− | [[File:VNGW_06.png|600px|center]]
| |
| | | |
− | ====Finish the VPN gateway configuration==== | + | [[File:VNGW_05.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | ===Finish the VPN gateway configuration=== |
| ---- | | ---- |
− | After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we’ll leave it as default. | + | After finishing the previous configuration, you can continue with the tags. This section is not mandatory; therefore, we left it as default and clicked on '''Review + create''' to check that the network gateway has the parameters shown below, and then click on the '''Create''' button to finish the configuration. |
− | <br> </br>
| |
− | [[File:VNGW_07.png|600px|center]]
| |
| | | |
− | Click on '''Review + create''', check that the network gateway has the parameters as shown below, and click on the '''Create''' button to finish.
| + | [[File:VNGW_06.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
− | [[File:VNGW_08.png|600px|center]] | + | ==Create a local network Gateway== |
| | | |
− | ===Create a local network Gateway===
| |
− | ----
| |
| In the search bar, look for "Local Network Gateways" and click on '''Create'''. | | In the search bar, look for "Local Network Gateways" and click on '''Create'''. |
− | <br> </br>
| + | |
− | [[File:VNGW_09.png|600px|center]] | + | [[File:VNGW_07.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
− | Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a static public IP address on its WAN interface. | + | |
| + | '''Fill in the configuration fields accordingly and add the remote router address space (LAN network) and the FQDN if the router does not have a static public IP address on its WAN interface. |
| + | ''' |
| | | |
| '''Projects details''' | | '''Projects details''' |
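Review bot: the bold markup on the "Fill in the configuration fields accordingly…" instruction is split across two lines, with the closing `'''` alone on the following line; bold does not span lines in wiki markup, so the opening run is left dangling and the lone closing quotes are rendered as text. Put the closing `'''` at the end of the sentence on the same line (or leave the sentence unbolded, as the matching instruction under "Create a VPN Gateway" is). Two wording points: the merged "Finish the VPN gateway configuration" paragraph mixes tenses ("we left it as default and clicked on Review + create … and then click on the Create button"); keep the imperative throughout, e.g. "leave it at the default, click Review + create, check that the gateway has the parameters shown below, and click Create". And "In case you do not have previously created a virtual network" reads better as "If you have not previously created a virtual network". Note also that this hunk keeps the `----` rule under "Create a Virtual Network" while the rule under "Create a VPN Gateway on the Azure Platform" was removed earlier; pick one convention for sub-section rules.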
Line 80: |
Line 92: |
| * '''Address Space:''' The router's LAN network(s) | | * '''Address Space:''' The router's LAN network(s) |
| * '''Configure BGP settings:''' No. | | * '''Configure BGP settings:''' No. |
− | <br> </br>
| + | |
− | [[File:VNGW__10.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:VNGW_08.png|none|border|left|class=tlt-border|600px]] |
− | [[File:VNGW__11.png|600px|center]] | + | |
| + | |
| + | [[File:VNGW_09.png|none|border|left|class=tlt-border|600px]] |
| | | |
| Verify the configuration and click on '''Create''' to finish. | | Verify the configuration and click on '''Create''' to finish. |
− | <br> </br>
| |
− | [[File:VNGW_12.png|600px|center]]
| |
| | | |
− | ===Create a connection=== | + | |
− | ----
| + | [[File:VNGW_10.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | ==Create a connection== |
| + | |
| Search for "Connections" and create a new one: | | Search for "Connections" and create a new one: |
− | <br> </br>
| + | |
− | [[File:VNGW_13.png|600px|center]] | + | [[File:VNGW_11.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
− | Complete the connection settings using the information and images below as reference: | + | '''Complete the connection settings using the information and images below as reference:''' |
− | <br> </br>
| + | |
| + | |
| '''Projects details''' | | '''Projects details''' |
| * '''Suscription:''' Your suscription. | | * '''Suscription:''' Your suscription. |
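Review bot: the subscription bullet in the Connections section repeats the "Suscription: Your suscription" typo (should be "Subscription: Your subscription"); it is carried over unchanged from the old revision, so this edit is a good place to fix both occurrences. Minor style point: the instruction "Complete the connection settings using the information and images below as reference:" is now bolded in full, while the equivalent sentence in the VPN Gateway section is plain; the two should match.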
Line 108: |
Line 124: |
| '''Virtual network Gateway''' | | '''Virtual network Gateway''' |
| * '''Virtual network gateway:''' Vnet1GW. | | * '''Virtual network gateway:''' Vnet1GW. |
− | * '''Local network gateway:''' toRegion.
| |
| * '''Local network gateway:''' toRegion. | | * '''Local network gateway:''' toRegion. |
| * '''Shared Key(PSK):''' Your Pre-shared key (It must match the one in the router IPsec configuration). | | * '''Shared Key(PSK):''' Your Pre-shared key (It must match the one in the router IPsec configuration). |
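Review bot: removing the duplicated "Local network gateway: toRegion." bullet is correct. On the remaining lines, "Shared Key(PSK)" is missing a space before the parenthesis ("Shared Key (PSK)"), and since the bullet already tells the reader the key must match the router's IPsec configuration, it would help to add that the value should be a long, randomly generated string rather than a memorable phrase, as this key is what the two gateways use to authenticate each other.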
Line 124: |
Line 139: |
| * '''Ingress NAT Rules:''' 0 selected. | | * '''Ingress NAT Rules:''' 0 selected. |
| * '''Egress NAT Rules:''' 0 selected. | | * '''Egress NAT Rules:''' 0 selected. |
− | <br> </br>
| + | |
− | [[File:VNGW_14.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:VNGW_12.png|none|border|left|class=tlt-border|600px]] |
− | [[File:VNGW_15.png|600px|center]] | + | |
− | <br> </br>
| + | |
− | [[File:VNGW_16.png|600px|center]] | + | [[File:VNGW_13.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
| + | |
| + | [[File:VNGW_14.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| '''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router. | | '''Note:''' You can use different crypto proposals; however, you must ensure that they match on the router. |
− | <br> </br>
| |
− | [[File:VNGW_17.png|600px|center]]
| |
| | | |
− | '''Note:''' the tag field can be leaved empty.
| |
− | <br> </br>
| |
− | Check that the parameters match and click on '''Create'''.
| |
− | <br> </br>
| |
− | [[File:VNGW_18.png|600px|center]]
| |
− | ==Teltonika device configuration==
| |
| | | |
− | ===DDNS configuration=== | + | Click on '''Review + Create''', then verify the configuration and click on '''Create''' to finish. |
− | ----
| + | |
| + | [[File:VNGW_15.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | =Teltonika Device Configuration= |
| + | |
| + | ==DDNS configuration== |
| + | |
| Log into the router via WebUI. | | Log into the router via WebUI. |
− | <br> </br>
| + | |
− | In case you don’t have a public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]] | + | |
− | <br> </br>
| + | In case you don’t have a static public IP address on the WAN interface, you can enable the Dynamic DNS service as explained here: [[DDNS Configuration Examples]] |
| + | |
| + | |
| '''Path:''' WebUI > Services > Dynamic DNS. | | '''Path:''' WebUI > Services > Dynamic DNS. |
− | <br> </br>
| + | |
− | [[File:TN_DDNS.png|600px|center]] | + | |
− | <br> </br>
| + | '''Note:''' On devices other than the RUTX series, you will need to download the DDNS service from the Package Manager. |
| + | |
| + | |
| + | [[File:TN_DDNS.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| After finishing the configuration, you should get the public IP address of the created domain. | | After finishing the configuration, you should get the public IP address of the created domain. |
− | <br> </br>
| |
− | [[File:TN_DDNS02.png|600px|center]]
| |
| | | |
− | ===IPsec configuration=== | + | |
− | ----
| + | [[File:TN_DDNS02.png|none|border|left|class=tlt-border|600px]] |
− | Locate the following path: WebUI > Services > IPsec ; and a new instance: | + | |
− | <br> </br>
| + | ==IPsec configuration== |
| + | |
| + | |
| + | Locate the following path: '''WebUI > Services > IPsec''' ; and a new instance: |
| + | |
| + | |
| '''Instance details''' | | '''Instance details''' |
| * '''Enable:''' On. | | * '''Enable:''' On. |
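Review bot: the IPsec section opener is missing its verb on both sides of the diff: "Locate the following path: '''WebUI > Services > IPsec''' ; and a new instance:" should read "…> IPsec, and add a new instance:" (also drop the space before the semicolon). Two consistency points in the same hunk: the button is written "Review + Create" here but "Review + create" in the VPN gateway section earlier in the page, and the DDNS sentence now correctly says "static public IP address", which matches the wording used in the Local Network Gateway section. The added note about installing the DDNS package from the Package Manager on non-RUTX devices is a useful addition.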
Line 186: |
Line 213: |
| * '''Force crypto Proposal:''' off. | | * '''Force crypto Proposal:''' off. |
| * '''lifetimes:''' Empty. | | * '''lifetimes:''' Empty. |
− | <br> </br>
| + | |
− | [[File:TN_IPSEC01.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:TN_IPSEC01.png|none|border|left|class=tlt-border|600px]] |
− | [[File:TN_IPsec02.png|600px|center]] | + | |
− | <br> </br>
| + | |
− | [[File:TN_IPsec03.png|600px|center]] | + | [[File:TN_IPsec02.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
− | [[File:TN_IPsec04.png|600px|center]] | + | |
| + | [[File:TN_IPsec03.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| + | [[File:TN_IPsec04.png|none|border|left|class=tlt-border|600px]] |
| | | |
| '''Note:''' in this example, we use DH Group equals to MODP1024 which is the same to Group 2 selected on the Azure platform. | | '''Note:''' in this example, we use DH Group equals to MODP1024 which is the same to Group 2 selected on the Azure platform. |
− | <br> </br>
| |
− | [[File:TN_IPsec05.png|600px|center]]
| |
| | | |
− | ==Check Site to Site Communication== | + | |
| + | [[File:TN_IPsec05.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | =Check Site to Site Communication= |
| If you followed the configuration steps, you should see that the Site to Site connection has been successfully established. | | If you followed the configuration steps, you should see that the Site to Site connection has been successfully established. |
− | <br> </br>
| + | |
− | [[File:TN_IPsec06.png|600px|center]] | + | [[File:TN_IPsec06.png|none|border|left|class=tlt-border|600px]] |
− | <br> </br>
| + | |
| + | |
| You can also check in the Azure platform that the connection has been established: | | You can also check in the Azure platform that the connection has been established: |
− | <br> </br>
| + | |
− | [[File:TN_IPsec07.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:TN_IPsec07.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| Check connectivity between the router LAN and a VM inside the Azure virtual network you may have: | | Check connectivity between the router LAN and a VM inside the Azure virtual network you may have: |
− | <br> </br>
| + | |
− | [[File:TN_IPsec08.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:TN_IPsec08.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| Test connectivity from a host in the router’s LAN to the VM: | | Test connectivity from a host in the router’s LAN to the VM: |
− | <br> </br>
| + | |
− | [[File:TN_IPsec09.png|600px|center]] | + | |
− | <br> </br>
| + | [[File:TN_IPsec09.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | |
| Connect to the VM in Azure, test connectivity to the Router’s LAN interface. | | Connect to the VM in Azure, test connectivity to the Router’s LAN interface. |
− | <br> </br>
| |
− | [[File:TN_IPsec10.png|600px|center]]
| |
| | | |
− | ==See Also== | + | [[File:TN_IPsec10.png|none|border|left|class=tlt-border|600px]] |
| + | |
| + | =See Also= |
| * [[Dynamic DNS]] - general information on the DDNS service. | | * [[Dynamic DNS]] - general information on the DDNS service. |
| * [[DDNS Configuration Examples]] - additional examples for different DDNS providers. | | * [[DDNS Configuration Examples]] - additional examples for different DDNS providers. |
| | | |
− | ==External links==
| + | =External links= |
| * https://www.noip.com | | * https://www.noip.com |
| * https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal | | * https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal |
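Review bot: the DH group note is grammatically off: "we use DH Group equals to MODP1024 which is the same to Group 2 selected on the Azure platform" should read "we use DH Group MODP1024, which corresponds to Group 2 selected on the Azure platform". Since the earlier note already says other crypto proposals may be used as long as both ends match, consider stating there that MODP1024 (1024-bit Diffie-Hellman) is the smallest group shown and that a larger group, such as Group 14 / MODP2048, should be preferred when both the router and the Azure connection are set to it. Smaller points: the instance bullets "Force crypto Proposal: off." and "lifetimes: Empty." do not follow the capitalisation of the other labels ("Enable: On."), "Site to Site" alternates with "Site-to-Site" across the page, and "Connect to the VM in Azure, test connectivity to the Router's LAN interface." is a comma splice ("…in Azure and test connectivity…").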